TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Sufficient Emphasis Was Not Placed on Resolving Security Vulnerabilities When Restoring the Electronic Fraud Detection System

June 14, 2007

Reference Number: 2007-20-108

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

June 14, 2007

MEMORANDUM FOR CHIEF, CRIMINAL INVESTIGATION
               CHIEF INFORMATION OFFICER
               CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:          Michael R. Phillips
               Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Sufficient Emphasis Was Not Placed on Resolving Security Vulnerabilities When Restoring the Electronic Fraud Detection System (Audit # 200720028)

This report presents the results of our review to assess the effectiveness of the security controls testing conducted as part of the certification and accreditation of the Electronic Fraud Detection System (hereafter referred to as the EFDS or System). We conducted this review to follow up on our Fiscal Year 2006 audit report,[1] which stated the security of the System had not been properly assessed since 2001.

Impact on the Taxpayer

The EFDS is used by the Internal Revenue Service (IRS) Criminal Investigation Division to detect fraudulent returns and is the IRS' second largest repository of taxpayer data. Security over the System is vital to ensure it is available to prevent fraud and to protect the privacy of taxpayers' personal information. Because the focus was to restore the System for the start of the 2007 Filing Season,[2] insufficient emphasis was placed on the System's security controls. Until security control weaknesses are corrected, the Criminal Investigation Division is jeopardizing the confidentiality, integrity, and availability of the System and the taxpayer data residing on it.

[1] A Complete Certification and Accreditation Is Needed to Ensure the Electronic Fraud Detection System Meets Federal Government Security Standards (Reference Number 2006-20-178, dated September 29, 2006).
[2] The period from January through mid-April when most individual income tax returns are filed.

Synopsis

On January 16, 2007, the IRS launched a restored EFDS. Prior to the System's restoration, the Mission Assurance and Security Services organization conducted a certification of the System that included a thorough testing of the security controls in the application, database, and supporting computers. The Criminal Investigation Division (the System owner) received these test results prior to the System restoration in January 2007. The Mission Assurance and Security Services organization followed National Institute of Standards and Technology[3] guidance in selecting the controls to be tested and in applying the appropriate test procedures to protect and evaluate the confidentiality, integrity, and availability of the System and the taxpayer data residing on it.

The EFDS security testing was conducted in two phases: one in September 2006 and one in January 2007. The January 2007 test results identified 34 security vulnerabilities that were also identified in the September 2006 test results. The vulnerabilities occurred in configuration management, user identification, system and communications protection, and detection controls. We believe the Criminal Investigation Division and the EFDS Project Office missed an opportunity during the time between the two tests to correct some of the significant security vulnerabilities prior to restoring the System.

Because the EFDS Project Office was primarily focused on implementing the restored System for the start of the 2007 Filing Season, insufficient emphasis was placed on the System's security controls. In addition, the Criminal Investigation Division did not coordinate with nor pursue a commitment from the EFDS Project Office to correct security vulnerabilities or plan corrective actions for those vulnerabilities. As a result, the restored System continues to operate with significant security vulnerabilities. Until corrective actions are taken, the Criminal Investigation Division and the EFDS Project Office are jeopardizing the confidentiality, integrity, and availability of the System and the taxpayer data residing on it.

We also noted the EFDS security certification memorandum contained a recommendation that the Chief, Criminal Investigation, grant a "restricted authorization to operate" for a period of no more than 1 year. A "restricted authorization to operate" is not a valid accreditation decision. Based on National Institute of Standards and Technology guidance, an Interim Authorization to Operate should be issued when significant vulnerabilities have been identified that can be corrected timely. Considering the nature of the weaknesses identified for the EFDS, an Interim Authorization to Operate would have been more appropriate and would have resulted in more emphasis by IRS management to ensure the vulnerabilities were corrected.

[3] The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.

Recommendation

The Chief, Criminal Investigation, should issue an Interim Authorization to Operate for the EFDS and require specific terms and conditions be met before an Authorization to Operate is granted. The expiration date should be based on corrective action milestone dates for the security vulnerabilities identified.

Response

IRS management disagreed with our recommendation, and the Chief, Criminal Investigation, has granted the EFDS an Authorization to Operate. The Chief, Criminal Investigation, the authorizing official who made the EFDS accreditation decision and to whom our recommendation was made, did not respond to the draft report. The response was provided by the Chief, Mission Assurance and Security Services, the certification agent who recommended the Chief, Criminal Investigation, grant an Authorization to Operate. In the response, the Chief, Mission Assurance and Security Services, stated that the decision of the Chief, Criminal Investigation, to issue an Authorization to Operate is fully supported because (1) no "high" security risks were identified for the EFDS and (2) an updated Plan of Action and Milestones is in place and being maintained to address issues identified during the certification that have not yet been resolved. Management's complete response to the draft report is included as Appendix IV.

Office of Audit Comment

We disagree with IRS management's response to our recommendation. The weaknesses identified during security testing increase the risk that unauthorized accesses to the EFDS could be made without detection. We consider these weaknesses to be significant, thereby warranting issuance of an Interim Authorization to Operate. We recognize the accreditation decision is subjective; however, we believe an Interim Authorization to Operate is the more prudent accreditation decision for the EFDS because it will bring increased attention to resolving the significant security weaknesses of this important system.

While we consider our disagreement to be significant, we are not elevating it to the Department of the Treasury Assistant Secretary for Management and the Chief Financial Officer. Our review was limited to one system and consequently we have not identified a trend warranting their involvement. Instead, we will be providing an informational copy of this report to the Department of the Treasury Chief Information Officer under separate cover. Copies of this report are also being sent to the IRS managers affected by the report recommendation. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.


Table of Contents

Background ............................................................ Page 1

Results of Review ..................................................... Page 3
    The Security of the Electronic Fraud Detection System Was Adequately Tested ............ Page 3
    Security Vulnerabilities Identified During Testing Were Not Addressed Prior to Restoring the Electronic Fraud Detection System ............ Page 3
    The Electronic Fraud Detection System Accreditation Decision Does Not Comply With Federal Government Security Standards ............ Page 4
        Recommendation 1: ............................................ Page 5

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ........... Page 7
    Appendix II – Major Contributors to This Report ................... Page 8
    Appendix III – Report Distribution List ........................... Page 9
    Appendix IV – Management's Response to the Draft Report ........... Page 10


Abbreviations

EFDS; System      Electronic Fraud Detection System
IRS               Internal Revenue Service
MA&SS             Mission Assurance and Security Services
NIST              National Institute of Standards and Technology


Background

The Internal Revenue Service (IRS) Criminal Investigation Division is responsible for detecting and investigating criminal violations of the Internal Revenue Code and financially related crimes. The Electronic Fraud Detection System (hereafter referred to as the EFDS or System), an automated compliance system, was designed to maximize fraud detection at the time tax returns are filed, to prevent the issuance of questionable refunds. The System is the primary information system used to support the Criminal Investigation Division Questionable Refund Program and is the IRS' second largest repository of taxpayer data. Because it contains and processes highly sensitive taxpayer information, security over the System is vital to ensure both the System and the data residing on it are protected from unauthorized access and misuse.

The EFDS began as a client-server application, allowing users to access the application through the IRS network. In June 2001, the IRS approved the conversion to a web-based application, which would enable users to access the System through the IRS Intranet. While the web-based application was under development, the client-server application continued to operate. The web-based application was expected to be available to process tax returns in 2006, so the client-server application was shut down in December 2005. However, the web-based application never became operational, and the client-server application could not be restored in time for use during the 2006 Filing Season.[1] As a result, in a previous audit report,[2] we estimated $318.3 million in fraudulent refunds may have been issued as of May 19, 2006.

In April 2006, the IRS stopped all development activities for the web-based application and focused all efforts on restoring the client-server application for use in January 2007 for the 2007 Filing Season. The EFDS Project Office, located in the Modernization and Information Technology Services organization, was responsible for restoring the application. On January 16, 2007, the IRS launched the restored EFDS client-server application.

This review was a follow-up to a prior Treasury Inspector General for Tax Administration audit.[3] In September 2006, we reported that the security of the System had not been properly assessed since 2001. We recommended the Chief, Mission Assurance and Security Services (MA&SS), coordinate with the Chief, Criminal Investigation, to complete a full security certification and accreditation for the EFDS client-server application and supporting computers before the restored System was permitted to operate. The Chief, MA&SS, agreed with our recommendation and began coordination with the Chief, Criminal Investigation, to certify and accredit the restored System.

This review was performed at the MA&SS organization office in New Carrollton, Maryland, and the Enterprise Computing Center[4] in Memphis, Tennessee, during the period November 2006 through February 2007. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] The period from January through mid-April when most individual income tax returns are filed.
[2] The Electronic Fraud Detection System Redesign Failure Resulted in Fraudulent Returns and Refunds Not Being Identified (Reference Number 2006-20-108, dated August 9, 2006).
[3] A Complete Certification and Accreditation Is Needed to Ensure the Electronic Fraud Detection System Meets Federal Government Security Standards (Reference Number 2006-20-178, dated September 29, 2006).
[4] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.


Results of Review

The Security of the Electronic Fraud Detection System Was Adequately Tested

National Institute of Standards and Technology (NIST) guidance[5] describes certification as a comprehensive assessment of the security controls in a system. An accreditation is an official management decision to authorize the operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on implementation of an agreed-upon set of security controls. IRS policies and Federal Government security standards require that the security of all information systems be independently assessed, certified, and accredited at least every 3 years. Regular testing of security controls is necessary to determine the extent to which these controls are implemented correctly, operating as intended, and meeting the security requirements for the system.

In our September 2006 EFDS security audit report, we stated that key application security controls were not tested when the System was certified and accredited in 2004. Instead, testing was limited to the supporting Windows-based operating system. As a result, the IRS had limited assurance that the System security controls were effective in protecting taxpayer information from unauthorized disclosure.

The recently conducted certification of the System included a thorough testing of the security controls in the application, database, and supporting computers. The MA&SS organization conducted the tests and reported the results to the Criminal Investigation Division (the System owner) prior to the System's restoration on January 16, 2007. The MA&SS organization followed NIST guidance in selecting the controls to be tested and in applying the appropriate test procedures to protect and evaluate the confidentiality, integrity, and availability of the System and the taxpayer data residing on it.

[5] NIST Guide for the Security Certification and Accreditation of Federal Information Systems (Special Publication 800-37). The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.

Security Vulnerabilities Identified During Testing Were Not Addressed Prior to Restoring the Electronic Fraud Detection System

NIST guidance states that security vulnerabilities identified during certification testing should be listed in a Plan of Action and Milestones. This document describes the measures that have been implemented or planned to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the information system. For the EFDS, the Criminal Investigation Division is responsible for preparing, monitoring, and updating the Plan of Action and Milestones until the security vulnerabilities are corrected.

The System security testing was conducted in two phases. The first phase, conducted in September 2006, was based on the configuration of the System at that time. The second phase was conducted in January 2007 after upgrades had been made to the database and operating system. In the System security test plan, the MA&SS organization stated the decision to conduct testing in two phases presented an opportunity to resolve any major vulnerabilities discovered during the first testing phase.

The Criminal Investigation Division and the EFDS Project Office did not take advantage of this opportunity and, therefore, security vulnerabilities still have not been corrected. The test results in January 2007 identified 34 security vulnerabilities that had been initially identified in the September 2006 tests. These security vulnerabilities occurred in configuration management, user identification, system and communications protection, and detection controls. The MA&SS organization characterized the combination of user identification and detection controls as high-priority security vulnerabilities because an attacker could easily subvert an account with a weak password with little chance of detection. Actions and milestones to correct these vulnerabilities were not documented in a Plan of Action and Milestones until after the System was restored and operating.

The EFDS Project Office was primarily focused on restoring the System for the start of the 2007 Filing Season and provided insufficient emphasis to correcting the System's security vulnerabilities. In addition, the Criminal Investigation Division did not coordinate with nor pursue a commitment from the EFDS Project Office to correct security vulnerabilities or plan corrective actions for those security vulnerabilities when they were identified in September 2006. As a result, the restored System was implemented and continues to operate with significant security vulnerabilities that jeopardize the confidentiality, integrity, and availability of both the System and the data residing on it.

The Electronic Fraud Detection System Accreditation Decision Does Not Comply With Federal Government Security Standards

Based on NIST guidance, the authorizing official must decide whether a system should be allowed to operate. The authorizing official has three options: (1) authorize the system to operate; (2) authorize the system to operate on an interim basis under strict terms and conditions, known as an Interim Authorization to Operate; or (3) deny authorization to operate the system. By approving operation of the system, the authorizing official assumes responsibility for the system and becomes accountable for the risks associated with operating the system.

The EFDS security certification memorandum contained a recommendation that the Chief, Criminal Investigation, as the authorizing official for the System, grant a "restricted authorization to operate" for a period of no more than 1 year. A "restricted authorization to operate" is not a valid accreditation decision based on NIST guidance. We were advised that the decision to grant the authorization to operate was made because the certifying agent and authorizing official believed the vulnerabilities identified were not significant enough to warrant issuance of an Interim Authorization to Operate. The term "restricted" was added to emphasize to the authorizing official that the System would need to be recertified within 1 year due to the importance of the System for identifying fraud each filing season.

NIST guidance states that an Interim Authorization to Operate is rendered when identified vulnerabilities are significant but can be addressed timely. Considering the nature of the weaknesses identified for the EFDS, an Interim Authorization to Operate should have been issued.

We understand the Chief, MA&SS, as the certifying agent, intended to notify the authorizing official that the System needed to be recertified within 1 year. However, because agencies are measured on the percentage of systems that have full authorizations to operate,[6] an Interim Authorization to Operate is likely to bring more emphasis by IRS management to resolve a system's vulnerabilities, so it can receive a full Authorization to Operate. The Interim Authorization to Operate should not be rescinded until the risks to the agency have been decreased to an acceptable level.

Without additional emphasis by the IRS, we are concerned the significant vulnerabilities identified for the EFDS will not be corrected in time for the next filing season. In addition, the true status of security controls for the System is not being accurately reported.

[6] Federal Information Security Management Act, Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002). This law requires agencies to report annually on the status of key security measurements, including the percentage of systems certified and accredited.

Recommendation

Recommendation 1: The Chief, Criminal Investigation, should issue an Interim Authorization to Operate for the EFDS and require that specific terms and conditions be met before an Authorization to Operate is granted. The expiration date should be based on corrective action milestone dates in the EFDS Plan of Action and Milestones.

    Management's Response: IRS management disagreed with our recommendation, and the Chief, Criminal Investigation, has granted the EFDS an Authorization to Operate. The Chief, Criminal Investigation, the authorizing official who made the EFDS accreditation decision and to whom our recommendation was made, did not respond to the draft report. The response was provided by the Chief, MA&SS, the certification agent who recommended the Chief, Criminal Investigation, grant an Authorization to Operate. In the response, the Chief, MA&SS, stated that the decision of the Chief, Criminal Investigation, to issue an Authorization to Operate is fully supported because (1) no "high" security risks were identified for the EFDS and (2) an updated Plan of Action and Milestones is in place and being maintained to address issues identified during the certification that have not yet been resolved.

    Office of Audit Comment: We disagree with IRS management's response to our recommendation. The weaknesses identified during security testing increase the risk that unauthorized accesses to the EFDS could be made without detection. We consider these weaknesses to be significant, thereby warranting issuance of an Interim Authorization to Operate. We recognize the accreditation decision is subjective; however, we believe an Interim Authorization to Operate is the more prudent accreditation decision for the EFDS because it will bring increased attention to resolving the significant security weaknesses of this important system.


Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to assess the effectiveness of the security controls testing conducted as part of the certification and accreditation of the EFDS (the System). To accomplish this objective, we:

I.   Determined whether all applicable security controls were tested.
     A. Identified the mandatory controls for a moderate impact system from the NIST Recommended Security Controls for Federal Information Systems (Special Publication 800-53).[1]
     B. Compared the System controls tested during the security test and evaluation to the controls identified from Special Publication 800-53 for a moderate impact system and determined whether all recommended controls were tested.
II.  Determined whether all applicable controls were adequately tested to determine whether the controls were in place, operating as intended, and producing the desired results.
     A. For each control tested, identified the applicable assessment procedures from the NIST Guide for Assessing the Security Controls in Federal Information Systems (Special Publication 800-53A).
     B. Compared the test cases or assessment methods used to test the System controls with the recommended assessment procedures contained in Special Publication 800-53A to identify any gaps in the test cases.
III. Determined whether the accreditation recommendation made by the MA&SS organization certification agent was supported by and consistent with the results of the security testing.
IV.  Determined whether all the System security vulnerabilities are being tracked for remediation.

[1] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all Federal Government agency operations and assets.


Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen R. Mullins, Director
Marybeth Schumann, Audit Manager
Joan Raniolo, Lead Auditor
Richard Borst, Senior Auditor
Michael Howard, Senior Auditor


Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
    Chief, Criminal Investigation SE:CI
    Chief Information Officer OS:CIO
    Chief, Mission Assurance and Security Services OS:MA
    Director, Program Oversight Office OS:CIO:SM:PO


Appendix IV

Management's Response to the Draft Report